In response to the growing complexity of cyber attacks, Vectra Networks has announced the release of a real-time detection platform to protect organizations and government agencies from insider and targeted threats.
Vectra Networks, a leading innovator in real-time detection of in-progress cyber attacks, brings network security and detection of advanced attacks to the inside of a network. Using a combination of dynamic community threat analysis and real-time detection, the Vectra X-series platform protects against cyber attacks by putting an organization’s key assets at the center of real-time investigations.
“If you look at any of the high-profile breaches or attacks from the past year, they all follow the same recipe – the attacker gets a foothold inside a network, and then spreads out going from machine to machine to either steal or destroy key assets,” Vectra Networks Chief Technology Officer Oliver Tavakoli told Homeland Security Today. “The problem is that the vast majority of real-time security solutions are designed for the perimeter, and by their nature they only see traffic as it enters or leaves a network. Vectra brings network security to the place where the majority of the attack occurs – the inside.”
The Vectra X-series platform addresses deficiencies in traditional approaches to network security, which rely on perimeter technologies. Tavakoli indicated that perimeter defenses are insufficient for protecting against an insider threat, since they focus on traffic as it enters and leaves an environment and miss what goes on inside.
“This is akin to making a strongly guarded border the only line of national defense. Vectra brings visibility to the inside of a network where the majority of the attack steps occur,” Tavakoli said.
In addition, perimeter technologies have very short memories, looking for threats in the context of a single Internet session. Modern attacks, however, are multi-step: the initial exploit opens the way for a larger one later.
“While perimeter security has a time horizon of seconds and minutes, Vectra has a time horizon of days, weeks and months. This combination gives us both the right visibility and the necessary patience to recognize truly sophisticated attacks,” Tavakoli said.
Damage that can be done by an insider is “almost limitless”
The leak of massive amounts of classified information by former NSA contractor Edward Snowden revealed the potential damage an insider can cause to an organization’s network. In the wake of Snowden’s disclosures, however, many organizations are still not taking the insider threat seriously.
“Snowden’s revelations certainly have raised the visibility of insider threats in most organizations,” Tavakoli said. “However, it has also ironically made some organizations less focused on the problem, because they assume insiders are only a problem for networks with highly classified information. The fact is that employees have demonstrated a tendency to take data with them in virtually all types of organizations.”
By nature, insiders have privileged access to an organization’s most sensitive information, and that access can be abused in an almost “limitless” number of ways, said Tavakoli. The most common damage is theft and disclosure of sensitive information, including intellectual property and classified information; in some cases, however, the goal is to cause damage.
Homeland Security Today recently reported that the Department of Homeland Security (DHS) published a report revealing a significant increase in the number of disgruntled or former employees sabotaging company networks. Investigations conducted by the FBI reveal 59 percent of employees admit to taking proprietary information upon termination.
“A review of recent FBI cyber investigations revealed victim businesses incur significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or former employees,” the report stated.
Tavakoli agreed, saying, “Disgruntled employees have been implicated in trying to damage critical infrastructure after they were terminated, so the potential damage is virtually unlimited.”
Prevention: Key to mitigating the insider threat
Mitigating the insider threat requires organizations to approach security with a different mindset than they do when dealing with external threats.
“Dealing with insider threats requires organizations to think a little differently about security,” Tavakoli said. “External threats are often intuitively thought of in terms of ‘us’ and ‘them,’ and building systems that keep ‘them’ out. This model doesn’t apply well to insider threats. Dealing with insider threats forces security teams to think about their key assets first.”
Tavakoli asserted that the first and most important step in protecting against insider threats is to identify the key assets and resources in an organization, and then deploy the systems that can monitor them. Without visibility into those assets, organizations cannot protect them.
“It’s important to build baselines for what is normal in your network,” Tavakoli said. “Is it normal for a particular user to be in this part of the network? Does this user need access to this particular asset? Then, of course, it’s important to apply a data-centric view to those users and key assets. Which direction is data flowing, are there signs that a particular user is gathering up key data? These are just the basics of detecting an insider threat, but it’s also a good start.”
The Vectra X-series platform puts the protection of assets at the center of its real-time investigations. Using community threat analysis, a new way of identifying an insider threat, Vectra identifies which communities exist within networks by listening to internal network traffic. Vectra can instantly detect indicators of an attack, as well as an attacker’s proximity to and impact on high-value assets.
“This real-time detection platform passively monitors all internal traffic for indicators of an attack in progress,” Tavakoli said. “Most importantly, Vectra detects all phases of an attack and automatically correlates them back to specific hosts and the communities in which the hosts reside. This approach boils down an immense amount of data into a clear view that security teams can use to make informed, real-time decisions.”
Community threat analysis can also identify both the malicious insider who intends to cause damage as well as the careless insider who causes harm to an organization through negligence.
For example, according to Tavakoli, “Vectra detects a behavior that we refer to as ‘data smuggler.’ We see this by observing the network traffic and correlating flows of data in and out of hosts. This detection could trigger due to a malicious insider who is stealing sensitive data, or likewise could trigger if a negligent user is copying data up to his Dropbox account. Of course, we can always distinguish the true malicious insider by correlating this event with other malicious behaviors, but the concept of putting assets at the center of an investigation works equally well for both types of insiders.”
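The two detection ideas Tavakoli describes above, baselining which hosts normally touch key assets and correlating data pulled from those assets with data later sent out of the network, can be sketched in a few dozen lines over flow records. The script below is an added illustration written for this page, not Vectra’s code or an account of how the X-series works internally. The addressing, the list of key assets, the flow records and the byte thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed addressing for this example (not from the article).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
KEY_ASSETS = {"10.0.5.20": "file-server", "10.0.5.21": "source-repo"}

# Constructed flow records (timestamp, src, dst, bytes), roughly NetFlow-shaped.
# Simplification: a host->asset flow's byte count is treated as data pulled from
# the asset. The first week is "normal"; the last day stages an exfiltration.
FLOWS = [
    ("2014-09-01T09:00:00", "10.0.1.10", "10.0.5.20", 40_000_000),     # dev pulls from file-server
    ("2014-09-01T09:30:00", "10.0.1.10", "198.51.100.7", 1_500_000),    # ordinary browsing
    ("2014-09-02T10:00:00", "10.0.1.10", "10.0.5.20", 35_000_000),
    ("2014-09-02T11:00:00", "10.0.1.11", "10.0.5.20", 5_000_000),       # analyst, small pulls
    ("2014-09-03T10:00:00", "10.0.1.11", "198.51.100.7", 800_000),
    ("2014-09-08T01:10:00", "10.0.1.11", "10.0.5.21", 600_000_000),    # never touched source-repo before
    ("2014-09-08T01:40:00", "10.0.1.11", "203.0.113.50", 580_000_000),  # bulk upload to the Internet
    ("2014-09-08T09:00:00", "10.0.1.10", "10.0.5.20", 42_000_000),
    ("2014-09-08T09:20:00", "10.0.1.10", "198.51.100.7", 2_000_000),
]


def parse(flow):
    ts, src, dst, nbytes = flow
    return datetime.fromisoformat(ts), src, dst, nbytes


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def new_key_asset_access(flows, cutoff):
    """Baseline which hosts talk to which key assets before `cutoff` (ISO date),
    then report each (host, asset) pair seen for the first time after it."""
    cutoff = datetime.fromisoformat(cutoff)
    baseline = defaultdict(set)
    alerts = []
    for ts, src, dst, _ in sorted(map(parse, flows)):
        if dst not in KEY_ASSETS:
            continue
        if ts < cutoff:
            baseline[src].add(dst)
        elif dst not in baseline[src]:
            alerts.append((src, KEY_ASSETS[dst]))
            baseline[src].add(dst)  # alert once per new pair
    return alerts


def data_smuggler(flows, window=timedelta(hours=24),
                  min_in=100_000_000, min_out=100_000_000):
    """For each host, pair bytes pulled from key assets with bytes the same
    host sends to external addresses within `window` afterwards. Thresholds are
    assumptions; a real system would derive them from the host's own baseline."""
    pulled = defaultdict(list)  # host -> [(ts, bytes pulled from a key asset)]
    scores = {}
    for ts, src, dst, nbytes in sorted(map(parse, flows)):
        if dst in KEY_ASSETS:
            pulled[src].append((ts, nbytes))
        elif not is_internal(dst):
            recent_in = sum(b for t, b in pulled[src] if ts - window <= t <= ts)
            if recent_in >= min_in and nbytes >= min_out:
                entry = scores.setdefault(src, {"bytes_in": 0, "bytes_out": 0})
                entry["bytes_in"] = max(entry["bytes_in"], recent_in)
                entry["bytes_out"] += nbytes
    return scores


if __name__ == "__main__":
    print("new key-asset access:", new_key_asset_access(FLOWS, "2014-09-07"))
    print("data smuggler candidates:", data_smuggler(FLOWS))
```

On the constructed flows, only 10.0.1.11 is flagged by both checks: it reaches the source repository for the first time, pulls several hundred megabytes, and pushes a similar volume to an Internet address half an hour later. As the quote notes, the flow correlation alone cannot tell a thief from a careless user syncing files to a personal cloud account; the first-access alert and any other suspicious behaviour on the same host are what give an analyst the context to decide.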
One of the keys to mitigating the insider threat is prevention. More often than not, organizations do not discover an insider breach until after it has occurred. At that point, “the affected organization finds its secrets already in the outside world,” Tavakoli said.
“Vectra aims to give security the real-time visibility and context to see an attack in progress and take action. Most attacks are only apparent in hindsight, and Vectra is designed to make these attacks obvious in real-time and before data is lost,” he concluded.